Here's a quote from one of Cisco's documents.
"The fixup protocol commands let you view, change, enable, or disable the
use of a service or protocol through the PIX Firewall. The ports you specify
are those that the PIX Firewall listens at for each respective service. You
can change the port value for each service except rsh. The fixup protocol
commands are always present in the configuration and are enabled by
default."
Here's an example of how to use static and conduit to allow outside users to
access your internal email server:
! Map the public address of the mail server to its internal address (one-to-one).
static (inside,outside) <mail_public_ip> <mail_internal_ip> netmask 255.255.255.255
! Permit SMTP from anywhere on the outside to the mail server's public address
! (access-list syntax is source first, then destination and port).
access-list acl_out permit tcp any host <mail_public_ip> eq smtp
! Apply the ACL inbound on the outside interface.
access-group acl_out in interface outside
! Keep SMTP inspection (Mail Guard) enabled on port 25.
fixup protocol smtp 25
Larry
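The same publication pattern written out as a complete fragment, with the older conduit form shown beside the access-list form and a fixup change for a non-standard port. This is an added example, not taken from the original post or from Cisco documentation; the addresses 203.0.113.25 (public) and 10.1.1.25 (internal) and the list name acl_out are constructed placeholders.

```cisco
! --- Address translation: publish the internal mail server on a public address ---
static (inside,outside) 203.0.113.25 10.1.1.25 netmask 255.255.255.255

! --- Permit inbound SMTP, access-list style (preferred on newer PIX releases) ---
! Order is: protocol, source, destination, [operator port].
access-list acl_out permit tcp any host 203.0.113.25 eq smtp
access-group acl_out in interface outside

! --- The equivalent conduit (older style; note the reversed argument order:
!     global address and port first, then the foreign/outside source) ---
! conduit permit tcp host 203.0.113.25 eq smtp any

! --- Protocol inspection ---
! Default SMTP inspection on port 25; the port value can be changed for every
! fixup except rsh, e.g. if the mail server also accepts submissions on 2525.
fixup protocol smtp 25
fixup protocol smtp 2525
! Inspection can be disabled per protocol if it breaks a legitimate application.
no fixup protocol sqlnet 1521
```

Use either the access-list/access-group pair or the conduit, not both, for the same flow; mixing the two styles on one firewall makes the effective policy hard to audit.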
-----------------------------------
All,
On the PIX, I read that these fixup commands are used to sanitize the
protocols, making sure only certain valid cmds get passed along during the
connection process.
fixup ftp
fixup mailhost
fixup sqlnet
Will this keep my users from proxying their napster, bearshare, etc.
connections out of port 80, 21, 25, 1521, etc., since none of the commands
that napster, bearshare, etc. send during their setup process will be
considered valid commands for those ports when the fixup cmd is applied to
them?
Also, I wanted to clarify one more question: when I want to map an inside
IP and service to an outside IP and service I should use conduit and
static. When I want to create ACLs for the interfaces I should use the
access-list cmd, but when should I use the outbound/apply command? It seems
to be redundant since the access-list cmd suffices.
Thanks
---------------------------------
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]